ABSTRACT



A data redirection system for redirecting a user's data based
on a stored rule set. The redirection of data is performed by 
a redirection server, which receives the redirection rule sets 
for each user from an authentication and accounting server, 
and a database. Prior to using the system, users authenticate 
with the authentication and accounting server, and receive a 
network address. The authentication and accounting server 
retrieves the proper rule set for the user, and communicates 
the rule set and the user's address to the redirection server. 
The redirection server then implements the redirection rule 
set for the user's address. Rule sets are removed from the 
redirection server either when the user disconnects, or based 
on some predetermined event. New rule sets are added to the 
redirection server either when a user connects, or based on 
some predetermined event. 

27 Claims, 1 Drawing Sheet 
USER SPECIFIC AUTOMATIC DATA
REDIRECTION SYSTEM 

RELATED APPLICATION 

This application claims priority of U.S. Provisional
Application No. 60/084,014 filed May 4, 1998, the disclosure of
which is incorporated fully herein by reference.

FIELD OF THE INVENTION 

This invention relates to the field of Internet
communications, more particularly, to a database system for
use in dynamically redirecting and filtering Internet traffic.

BACKGROUND OF THE INVENTION 

In prior art systems as shown in FIG. 1, when an Internet
user establishes a connection with an Internet Service
Provider (ISP), the user first makes a physical connection
between their computer 100 and a dial-up networking server
102. The user provides to the dial-up networking server their
user ID and password. The dial-up networking server then
passes the user ID and password, along with a temporary
Internet Protocol (IP) address for use by the user, to the ISP's
authentication and accounting server 104. A detailed
description of the IP communications protocol is discussed
in Internetworking with TCP/IP, 3rd ed., Douglas Comer,
Prentice Hall, 1995, which is fully incorporated herein by
reference. The authentication and accounting server, upon
verification of the user ID and password using a database
106, would send an authorization message to the dial-up
networking server 102 to allow the user to use the temporary
IP address assigned to that user by the dial-up networking
server and then logs the connection and assigned IP address.
For the duration of that session, whenever the user would
make a request to the Internet 110 via a gateway 108, the end
user would be identified by the temporarily assigned IP
address.

The redirection of Internet traffic is most often done with
World Wide Web (WWW) traffic (more specifically, traffic
using the HTTP (hypertext transfer protocol)). However,
redirection is not limited to WWW traffic, and the concept
is valid for all IP services. To illustrate how redirection is
accomplished, consider the following example, which
redirects a user's request for a WWW page (typically an html
(hypertext markup language) file) to some other WWW
page. First, the user instructs the WWW browser (typically
software running on the user's PC) to access a page on a
remote WWW server by typing in the URL (universal
resource locator) or clicking on a URL link. Note that a URL
provides information about the communications protocol,
the location of the server (typically an Internet domain name
or IP address), and the location of the page on the remote
server. The browser next sends a request to the server
requesting the page. In response to the user's request, the
web server sends the requested page to the browser. The
page, however, contains html code instructing the browser to
request some other WWW page — hence the redirection of
the user begins. The browser then requests the redirected
WWW page according to the URL contained in the first
page's html code. Alternately, redirection can also be
accomplished by coding the page such that it instructs the
browser to run a program, like a Java applet or the like,
which then redirects the browser. One disadvantage with
current redirection technology is that control of the
redirection is at the remote end, or WWW server end — and not the
local, or user end. That is to say that the redirection is
performed by the remote server, not the user's local gateway.

Filtering packets at the Internet Protocol (IP) layer has
been possible using a firewall device or other packet filtering
device for several years. Although packet filtering is most
often used to filter packets coming into a private network for
security purposes, once properly programed, packet filters can
filter outgoing packets sent from users to a specific
destination as well. Packet filtering can distinguish, and filter
based on, the type of IP service contained within an IP packet.
For example, the packet filter can determine if the packet
contains FTP (file transfer protocol) data, WWW data, or Telnet
session data. Service identification is achieved by
identifying the terminating port number contained within each IP
packet header. Port numbers are standard within the industry
to allow for interoperability between equipment. Packet
filtering devices allow network administrators to filter
packets based on the source and/or destination information, as
well as on the type of service being transmitted within each
IP packet. Unlike redirection technology, packet filtering
technology allows control at the local end of the network
connection, typically by the network administrator.
However, packet filtering is very limited because it is static.
Once packet filtering rule sets are programed into a firewall
or other packet filter device, the rule set can only be changed
by manually reprogramming the device.

Packet filter devices are often used with proxy server 
systems, which provide access control to the Internet and are 
most often used to control access to the world wide web. In 
a typical configuration, a firewall or other packet filtering 
device filters all WWW requests to the Internet from a local 
network, except for packets from the proxy server. That is to 
say that a packet filter or firewall blocks all traffic originating 
from within the local network which is destined for con- 
nection to a remote server on port 80 (the standard WWW 
port number). However, the packet filter or firewall permits 
such traffic to and from the proxy server. Typically, the proxy 
server is programed with a set of destinations that are to be 
blocked, and packets destined for blocked addresses are not 
forwarded. When the proxy server receives a packet, the 
destination is checked against a database for approval. If the 
destination is allowed, the proxy server simply forwards 
packets between the local user and the remote server outside 
the firewall. However, proxy servers are limited to either 
blocking or allowing specific system terminals access to 
remote databases. 

A recent system is disclosed in U.S. Pat. No. 5,696,898.
This patent discloses a system, similar to a proxy server, that
allows network administrators to restrict specific IP
addresses inside a firewall from accessing information from
certain public or otherwise uncontrolled databases (i.e., the
WWW/Internet). According to the disclosure, the system has
a relational database which allows network administrators to
restrict specific terminals, or groups of terminals, from
accessing certain locations. Limited in the same way as a proxy
server, this invention can only block or allow terminals'
access to remote sites. This system is also static in that rules
programmed into the database need to be reprogrammed in
order to change which locations specific terminals may
access.

SUMMARY OF THE INVENTION 

The present invention allows for creating and
implementing dynamically changing rules, to allow the redirection,
blocking, or allowing, of specific data traffic for specific
users, as a function of database entries and the user's
activity. In certain embodiments according to the present
invention, when the user connects to the local network, as in
the prior art system, the user's ID and password are sent to
the authentication accounting server. The user ID and
password are checked against information in an authentication
database. The database also contains personalized filtering
and redirection information for the particular user ID.
During the connection process, the dial-up network server
provides the authentication accounting server with the IP
address that is going to be temporarily assigned to the user.
The authentication accounting server then sends both the
user's temporary IP address and all of the particular user's
filter and redirection information to a redirection server. The
IP address temporarily assigned to the end user is then sent
back to the end user for use in connecting to the network.

Once connected to the network, all data packets sent to, or
received by, the user include the user's temporary IP address
in the IP packet header. The redirection server uses the filter
and redirection information supplied by the authentication
accounting server, for that particular IP address, to either
allow packets to pass through the redirection server
unmolested, block the request altogether, or modify the
request according to the redirection information.

When the user terminates the connection with the
network, the dial-up network server informs the
authentication accounting server, which in turn, sends a message to the
redirection server telling it to remove any remaining filtering
and redirection information for the terminated user's
temporary IP address. This then allows the dial-up network to
reassign that IP address to another user. In such a case, the
authentication accounting server retrieves the new user's
filter and redirection information from the database and
passes it, with the same IP address which is now being used
by a different user, to the redirection server. This new user's
filter may be different from the first user's filter.

FIG. 1 is a block diagram of a typical Internet Service
Provider environment.

FIG. 2 is a block diagram of an embodiment of an Internet
Service Provider environment with integrated redirection
system.

DETAILED DESCRIPTION OF THE 
INVENTION 

In the following embodiments of the invention, common
reference numerals are used to represent the same
components. If the features of an embodiment are incorporated into
a single system, these components can be shared and
perform all the functions of the described embodiments.

FIG. 2 shows a typical Internet Service Provider (ISP)
environment with integrated user specific automatic data
redirection system. In a typical use of the system, a user
employs a personal computer (PC) 100, which connects to
the network. The system employs: a dial-up network server
102, an authentication accounting server 204, a database 206
and a redirection server 208.

The PC 100 first connects to the dial-up network server
102. The connection is typically created using a computer
modem, however a local area network (LAN) or other
communications link can be employed. The dial-up network
server 102 is used to establish a communications link with
the user's PC 100 using a standard communications
protocol. In the preferred embodiment Point to Point Protocol
(PPP) is used to establish the physical link between the PC
100 and the dial-up network server 102, and to dynamically
assign the PC 100 an IP address from a list of available
addresses. However, other embodiments may employ
different communications protocols, and the IP address may
also be permanently assigned to the PC 100. Dial-up
network servers 102, PPP and dynamic IP address assignment
are well known in the art.

An authentication accounting server with Auto-Navi com- 
ponent (hereinafter, authentication accounting server) 204 is 
used to authenticate user ID and permit, or deny, access to 
the network. The authentication accounting server 204 que- 
ries the database 206 to determine if the user ID is autho- 
rized to access the network. If the authentication accounting 
server 204 determines the user ID is authorized, the authen- 
tication accounting server 204 signals the dial-up network 
server 102 to assign the PC 100 an IP address, and the 
Auto-Navi component of the authentication accounting 
server 204 sends the redirection server 208 (1) the filter and 
redirection information stored in database 206 for that user 
ID and (2) the temporarily assigned IP address for the 
session. One example of an authentication accounting server 
is discussed in U.S. Pat. No. 5,845,070, which is fully 
incorporated here by reference. Other types of authentica- 
tion accounting servers are known in the art. However, these 
authentication accounting servers lack an Auto-Navi com- 
ponent. 

The system described herein operates based on user IDs
supplied to it by a computer. Thus the system does not 
"know" who the human being "user" is at the keyboard of 
the computer that supplies a user ID. However, for the 
purposes of this detailed description, "user" will often be 
used as a short hand expression for "the person supplying 
inputs to a computer that is supplying the system with a 
particular user ID." 

The database 206 is a relational database which stores the 
system data. FIG. 3 shows one embodiment of the database 
structure. The database, in the preferred embodiment, 
includes the following fields: a user account number, the 
services allowed or denied each user (for example: e-mail, 
Telnet, FTP, WWW), and the locations each user is allowed 
to access. 

Rule sets are employed by the system and are unique for 
each user ID, or a group of user ID's. The rule sets specify 
elements or conditions about the user's session. Rule sets 
may contain data about a type of service which may or may 
not be accessed, a location which may or may not be 
accessed, how long to keep the rule set active, under what 
conditions the rule set should be removed, when and how to 
modify the rule set during a session, and the like. Rule sets 
may also have a preconfigured maximum lifetime to ensure 
their removal from the system. 

The redirection server 208 is logically located between 
the user's computer 100 and the network, and controls the 
user's access to the network. The redirection server 208 
performs all the central tasks of the system. The redirection 
server 208 receives information regarding newly established 
sessions from the authentication accounting server 204. The 
Auto-Navi component of the authentication accounting 
server 204 queries the database for the rule set to apply to 
each new session, and forwards the rule set and the currently 
assigned IP address to the redirection server 208. The 
redirection server 208 receives the IP address and rule set, 
and is programed to implement the rule set for the IP 
address, as well as other attendant logical decisions such as: 
checking data packets and blocking or allowing the packets 
as a function of the rule sets, performing the physical 
redirection of data packets based on the rule sets, and 
dynamically changing the rule sets based on conditions. 
When the redirection server 208 receives information
regarding a terminated session from the authentication
accounting server 204, the redirection server 208 removes
any outstanding rule sets and information associated with
the session. The redirection server 208 also checks for and
removes expired rule sets from time to time.

In an alternate embodiment, the redirection server 208 
reports all or some selection of session information to the 
database 206. This information may then be used for 
reporting, or additional rule set generation. 



System Features Overview



In the present embodiment, each specific user may be 
limited to, or allowed, specific IP services, such as WWW, 
FTP and Telnet. This allows a user, for example, WWW 
access, but not FTP access or Telnet access. A user's access 
can be dynamically changed by editing the user's database 
record and commanding the Auto-Navi component of the 
authentication accounting server 204 to transmit the user's 
new rule set and current IP address to the redirection server 
208. 

A user's access can be "locked" to only allow access to
one location, or a set of locations, without affecting other
users' access. Each time a locked user attempts to access
another location, the redirection server 208 redirects the user
to a default location. In such a case, the redirection server
208 acts either as proxy for the destination address, or in the
case of WWW traffic the redirection server 208 replies to the
user's request with a page containing a redirection
command.

A user may also be periodically redirected to a location,
based on a period of time or some other condition. For
example, the user will first be redirected to a location
regardless of what location the user attempts to reach, then
permitted to access other locations, but every ten minutes the
user is automatically redirected to the first location. The
redirection server 208 accomplishes such a rule set by
setting an initial temporary rule set to redirect all traffic; after
the user accesses the redirected location, the redirection
server then either replaces the temporary rule set with the
user's standard rule set or removes the rule set altogether
from the redirection server 208. After a certain or variable
time period, such as ten minutes, the redirection server 208
reinstates the rule set again.

The following steps describe details of a typical user
session:

A user connects to the dial-up network server 102 through
computer 100.

The user inputs user ID and password to the dial-up
network server 102 using computer 100, which
forwards the information to the authentication accounting
server 204.

The authentication accounting server 204 queries
database 206 and performs validation check of user ID and
password.

Upon a successful user authentication, the dial-up
network server 102 completes the negotiation and assigns
an IP address to the user. Typically, the authentication
accounting server 204 logs the connection in the
database 206.

The Auto-Navi component of the authentication
accounting server 204 then sends both the user's rule set
(contained in database 206) and the user's IP address
(assigned by the dial-up network server 102) in real
time to the redirection server 208 so that it can filter the
user's IP packets.

The redirection server 208 programs the rule set and IP
address so as to control (filter, block, redirect, and the
like) the user's data as a function of the rule set.

The following is an example of a typical user's rule set, 
attendant logic and operation: 

If the rule set for a particular user (i.e., user UserID-2) was 
such as to only allow that user to access the web site 
www.us.com, and permit Telnet services, and redirect all 
web access from any server at xyz.com to www.us.com, then 
the logic would be as follows: 

The database 206 would contain the following record for 
user UserID-2: 



ID          UserID-2
Password:   secret

### Rule Sets ###
#service    rule                        expire
http        www.us.com                  0
http        *.xyz.com => www.us.com     0



The user initiates a session, and sends the correct user ID
and password (UserID-2 and secret) to the dial-up
network server 102. As both the user ID and password
are correct, the authentication accounting server 204
authorizes the dial-up network server 102 to establish a
session. The dial-up network server 102 assigns
UserID-2 an IP address (for example, 10.0.0.1) and
passes the IP address to the authentication
accounting server 204.

The Auto-Navi component of the authentication account- 
ing server 204 sends both the user's rule set and the 
user's IP address (10.0.0.1) to the redirection server 
208. 

The redirection server 208 programs the rule set and IP 
address so as to filter and redirect the user's packets 
according to the rule set. The logic employed by the 
redirection server 208 to implement the rule set is as 
follows: 

IF source IP-address=10.0.0.1 AND
  ( ((request type=HTTP) AND (destination address=www.us.com))
    OR (request type=Telnet)
  ) THEN ok.
IF source IP-address=10.0.0.1 AND
  ( (request type=HTTP) AND (destination address=*.xyz.com)
  ) THEN (redirect=www.us.com)

The redirection server 208 monitors all the IP packets, 
checking each against the rule set. In this situation, if IP 
address 10.0.0.1 (the address assigned to user ID UserID-2) 
attempts to send a packet containing HTTP data (i.e., 
attempts to connect to port 80 on any machine within the 
xyz.com domain) the traffic is redirected by the redirection 
server 208 to www.us.com. Similarly, if the user attempts to 
connect to any service other than HTTP at www.us.com or
Telnet anywhere, the packet will simply be blocked by the 
redirection server 208. 

When the user logs out or disconnects from the system, 
the redirection server will remove all remaining rule sets. 

The following is another example of a typical user's rule 
set, attendant logic and operation: 

If the rule set for a particular user (i.e., user UserID-3) was 
to force the user to visit the web site www.widgetsell.com, 
first, then to have unfettered access to other web sites, then 
the logic would be as follows: 
The database 206 would contain the following record for
user UserID-3:

ID          UserID-3
Password:   top-secret

### Rule Sets ###
#service    rule                        expire
http        * => www.widgetsell.com     1x



The user initiates a session, and sends the correct user ID
and password (UserID-3 and top-secret) to the dial-up
network server 102. As both the user ID and password
are correct, the authentication accounting server 204
authorizes the dial-up network server 102 to establish a
session. The dial-up network server 102 assigns
UserID-3 an IP address (for example, 10.0.0.1) and
passes the IP address to the authentication accounting
server 204.

The Auto-Navi component of the authentication
accounting server 204 sends both the user's rule set and the
user's IP address (10.0.0.1) to the redirection server
208.

The redirection server 208 programs the rule set and IP
address so as to filter and redirect the user's packets
according to the rule set. The logic employed by the
redirection server 208 to implement the rule set is as
follows:

IF source IP-address=10.0.0.1 AND
  (request type=HTTP) THEN (redirect=www.widgetsell.com)
  THEN SET NEW RULE
IF source IP-address=10.0.0.1 AND
  (request type=HTTP) THEN ok.

The redirection server 208 monitors all the IP packets,
checking each against the rule set. In this situation, if IP
address 10.0.0.1 (the address assigned to user ID UserID-3)
attempts to send a packet containing HTTP data (i.e.,
attempts to connect to port 80 on any machine) the traffic is
redirected by the redirection server 208 to
www.widgetsell.com. Once this is done, the redirection server 208 will
remove the rule set and the user is free to use the web
unmolested.

When the user logs out or disconnects from the system, 
the redirection server will remove all remaining rule sets. 
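
The two sessions above (UserID-2, then UserID-3 on the same address 10.0.0.1) can be replayed against a small model of the redirection server. This Python is an added example, not code from the patent: the Rule fields, first-match evaluation, the successor rule standing in for "SET NEW RULE", and the fail-closed answer for an address with no rule set are assumptions, and host names not found in the two records are constructed.

```python
import copy
import fnmatch
from dataclasses import dataclass
from typing import Optional

ALLOW, REDIRECT, BLOCK = "allow", "redirect", "block"


@dataclass
class Rule:
    service: str                        # "http", "telnet", ...
    pattern: str                        # destination host pattern; "*" = anywhere
    redirect_to: Optional[str] = None   # None makes this an allow rule
    uses_left: int = 0                  # "expire" column: 0 = never, 1 = "1x"
    successor: Optional["Rule"] = None  # assumed: rule put in place after expiry

    def matches(self, service, host):
        if service != self.service:
            return False
        host, pat = host.lower().rstrip("."), self.pattern.lower()
        # "*.xyz.com" covers hosts inside xyz.com and xyz.com itself; the dot
        # in the pattern keeps look-alikes such as notxyz.com out.
        return fnmatch.fnmatchcase(host, pat) or (
            pat.startswith("*.") and host == pat[2:])


@dataclass
class Session:
    user_id: str
    rules: list
    expires_at: float


class RedirectionServer:
    def __init__(self):
        self.sessions = {}              # temporary IP address -> Session

    def install(self, ip, user_id, rules, now, max_lifetime=86400.0):
        # Replace, never merge: the address may have belonged to another user.
        self.sessions[ip] = Session(user_id, copy.deepcopy(rules), now + max_lifetime)

    def remove(self, ip):
        self.sessions.pop(ip, None)

    def decide(self, ip, service, host, now):
        session = self.sessions.get(ip)
        if session is None:
            return (BLOCK, None)        # no rule set for the address: fail closed
        if now >= session.expires_at:   # preconfigured maximum lifetime reached
            self.remove(ip)
            return (BLOCK, None)
        for i, rule in enumerate(session.rules):
            if not rule.matches(service, host):
                continue
            if rule.uses_left:          # counted rule such as "1x"
                rule.uses_left -= 1
                if rule.uses_left == 0:
                    if rule.successor is not None:
                        session.rules[i] = rule.successor
                    else:
                        del session.rules[i]
            if rule.redirect_to:
                return (REDIRECT, rule.redirect_to)
            return (ALLOW, None)
        return (BLOCK, None)            # nothing matched: default deny


def userid2_rules():
    # The two http rows of the UserID-2 record plus the Telnet permission
    # that appears in the logic listing.
    return [Rule("http", "www.us.com"),
            Rule("http", "*.xyz.com", redirect_to="www.us.com"),
            Rule("telnet", "*")]


def userid3_rules():
    return [Rule("http", "*", redirect_to="www.widgetsell.com", uses_left=1,
                 successor=Rule("http", "*"))]


def demo():
    srv = RedirectionServer()
    srv.install("10.0.0.1", "UserID-2", userid2_rules(), now=0)
    out = [srv.decide("10.0.0.1", s, h, now=1) for s, h in [
        ("http", "www.us.com"), ("http", "shop.xyz.com"), ("http", "notxyz.com"),
        ("telnet", "host.example.net"), ("ftp", "www.us.com")]]
    srv.remove("10.0.0.1")              # UserID-2 disconnects, address is reused
    srv.install("10.0.0.1", "UserID-3", userid3_rules(), now=10)
    out += [srv.decide("10.0.0.1", "http", "www.example.org", now=11),
            srv.decide("10.0.0.1", "http", "www.example.org", now=12),
            srv.decide("10.0.0.1", "telnet", "host.example.net", now=13)]
    return out


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The last decision is the one to watch: Telnet is blocked for UserID-3 because installing a rule set replaces whatever the previous holder of 10.0.0.1 had, rather than adding to it.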

In an alternate embodiment a user may be periodically
redirected to a location, based on a number of other
factors, such as the number of locations accessed, the time
spent at a location, the types of locations accessed, and other
such factors.

A user's account can also be disabled after the user has
exceeded a length of time. The authentication accounting
server 204 keeps track of the user's time online. Prepaid use
subscriptions can thus be easily managed by the
authentication accounting server 204.

In yet another embodiment, signals from the Internet 110
side of redirection server 208 can be used to modify rule sets
being used by the redirection server. Preferably, encryption
and/or authentication are used to verify that the server or
other computer on the Internet 110 side of redirection server
208 is authorized to modify the rule set or rule sets that are
being attempted to be modified. An example of this
embodiment is where it is desired that a user be redirected to a
particular web site until they fill out a questionnaire or satisfy
some other requirement on such a web site. In this example,
the redirection server redirects a user to a particular web site
that includes a questionnaire. After this web site receives
acceptable data in all required fields, the web site then sends
an authorization to the redirection server that deletes the
redirection to the questionnaire web site from the rule set for
the user who successfully completed the questionnaire. Of
course, the type of modification an outside server can make
to a rule set on the redirection server is not limited to
deleting a redirection rule, but can include any other type of
modification to the rule set that is supported by the
redirection server as discussed above.
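
One way the redirection server could check that a questionnaire site is authorized before deleting the redirect is sketched below. This Python is an added example, not code from the patent, which names no mechanism: the HMAC-SHA256 shared key, the message fields, the 30-second freshness window, the nonce cache and the host survey.example are all assumptions or constructed values.

```python
import hashlib
import hmac
import json

MAX_SKEW = 30   # seconds a signed message stays acceptable (assumed policy)


def sign(key, raw):
    """MAC the outside server attaches to the exact bytes it sends."""
    return hmac.new(key, raw, hashlib.sha256).hexdigest()


class RuleModificationGate:
    def __init__(self, peers, rule_sets):
        self.peers = peers          # sender id -> {"key": bytes, "host": str}
        self.rule_sets = rule_sets  # temporary IP -> list of rule dicts
        self.nonces = {}            # (sender, nonce) -> time it may be forgotten

    def handle(self, sender, raw, tag, now):
        peer = self.peers.get(sender)
        if peer is None:
            return "rejected: unknown sender"
        # Authenticate the exact bytes received before parsing them.
        expected = sign(peer["key"], raw).encode()
        if not hmac.compare_digest(expected, tag.encode()):
            return "rejected: bad mac"
        msg = json.loads(raw)
        if abs(now - msg["ts"]) > MAX_SKEW:
            return "rejected: stale"
        # A nonce is kept for as long as its message could still pass the
        # freshness check, so a captured message cannot be sent twice.
        self.nonces = {k: exp for k, exp in self.nonces.items() if exp >= now}
        nonce_key = (sender, msg["nonce"])
        if nonce_key in self.nonces:
            return "rejected: replay"
        self.nonces[nonce_key] = msg["ts"] + MAX_SKEW
        # Authorization is narrower than authentication: a peer may only lift
        # a redirect that points at its own host.
        if msg.get("op") != "delete_redirect" or msg.get("redirect_to") != peer["host"]:
            return "rejected: out of scope"
        rules = self.rule_sets.get(msg.get("ip"), [])
        kept = [r for r in rules if r.get("redirect_to") != peer["host"]]
        if len(kept) == len(rules):
            return "rejected: no such rule"
        self.rule_sets[msg["ip"]] = kept
        return "applied"


def demo():
    key = b"constructed-shared-key"     # constructed sample key
    rule_sets = {"10.0.0.1": [
        {"service": "http", "pattern": "*", "redirect_to": "survey.example"}]}
    gate = RuleModificationGate(
        {"survey": {"key": key, "host": "survey.example"}}, rule_sets)

    def message(**fields):
        return json.dumps(fields, sort_keys=True).encode()

    good = message(op="delete_redirect", ip="10.0.0.1",
                   redirect_to="survey.example", ts=1000, nonce="n1")
    tampered = good.replace(b"10.0.0.1", b"10.0.0.9")
    other = message(op="delete_redirect", ip="10.0.0.1",
                    redirect_to="www.us.com", ts=1000, nonce="n2")
    old = message(op="delete_redirect", ip="10.0.0.1",
                  redirect_to="survey.example", ts=900, nonce="n3")
    results = [
        gate.handle("survey", tampered, sign(key, good), now=1001),
        gate.handle("survey", other, sign(key, other), now=1001),
        gate.handle("survey", old, sign(key, old), now=1001),
        gate.handle("survey", good, sign(key, good), now=1001),
        gate.handle("survey", good, sign(key, good), now=1002),
        gate.handle("unknown", good, sign(key, good), now=1002),
    ]
    return results, rule_sets


if __name__ == "__main__":
    print(demo())
```

A correctly signed request is still refused when it targets a redirect that does not point at the sender's own host, which keeps one compromised questionnaire site from editing other rules.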

It will be clear to one skilled in the art that the invention 
may be implemented to control (block, allow and redirect) 
any type of service, such as Telnet, FTP, WWW and the like. 
The invention is easily programmed to accommodate new 
services or networks and is not limited to those services and 
networks (e.g., the Internet) now known in the art.

It will also be clear that the invention may be
implemented on non-IP based networks which implement other
addressing schemes, such as IPX, MAC addresses and the 
like. While the operational environment detailed in the 
preferred embodiment is that of an ISP connecting users to 
the Internet, it will be clear to one skilled in the art that the 
invention may be implemented in any application where 
control over users' access to a network or network resources 
is needed, such as a local area network, wide area network 
and the like. Accordingly, neither the environment nor the 
communications protocols are limited to those discussed. 

What is claimed is: 

1. A system comprising: 

a database with entries correlating each of a plurality of
user IDs with an individualized rule set;

a dial-up network server that receives user IDs from
users' computers;

a redirection server connected to the dial-up network
server and a public network, and

an authentication accounting server connected to the
database, the dial-up network server and the redirection
server;

wherein the dial-up network server communicates a first 
user ID for one of the users' computers and a tempo- 
rarily assigned network address for the first user ID to 
the authentication accounting server; 

wherein the authentication accounting server accesses the 
database and communicates the individualized rule set 
that correlates with the first user ID and the temporarily 
assigned network address to the redirection server; and 

wherein data directed toward the public network from the 
one of the users' computers are processed by the 
redirection server according to the individualized rule 
set. 

2. The system of claim 1, wherein the redirection server 
further provides control over a plurality of data to and from 
the users' computers as a function of the individualized rule 
set. 

3. The system of claim 1, wherein the redirection server 
further blocks the data to and from the users' computers as
a function of the individualized rule set. 

4. The system of claim 1, wherein the redirection server 
further allows the data to and from the users' computers as
a function of the individualized rule set. 

5. The system of claim 1, wherein the redirection server 
further redirects the data to and from the users' computers as 
a function of the individualized rule set. 

6. The system of claim 1, wherein the redirection server 
further redirects the data from the users' computers to 
multiple destinations as a function of the individualized rule 
set. 

7. The system of claim 1, wherein the database entries for
a plurality of the plurality of users' IDs are correlated with
a common individualized rule set.

8. In a system comprising a database with entries
correlating each of a plurality of user IDs with an individualized
rule set; a dial-up network server that receives user IDs from
users' computers; a redirection server connected to the
dial-up network server and a public network, and an
authentication accounting server connected to the database, the
dial-up network server and the redirection server, the
method comprising the steps of:

communicating a first user ID for one of the users'
computers and a temporarily assigned network address
for the first user ID from the dial-up network server to
the authentication accounting server;

communicating the individualized rule set that correlates 
with the first user ID and the temporarily assigned 
network address to the redirection server from the 
authentication accounting server; 

and processing data directed toward the public network 
from the one of the users' computers according to the 
individualized rule set. 

9. The method of claim 8, further including the step of 
controlling a plurality of data to and from the users' com- 
puters as a function of the individualized rule set. 

10. The method of claim 8, further including the step of 
blocking the data to and from the users' computers as a
function of the individualized rule set. 

11. The method of claim 8, further including the step of
allowing the data to and from the users' computers as a
function of the individualized rule set.

12. The method of claim 8, further including the step of 
redirecting the data to and from the users' computers as a 
function of the individualized rule set. 

13. The method of claim 8, further including the step of
redirecting the data from the users' computers to multiple
destinations as a function of the individualized rule set.

14. The method of claim 8, further including the step of
creating database entries for a plurality of the plurality of
users' IDs, the plurality of users' ID further being correlated
with a common individualized rule set.

15. A system comprising: 

a redirection server programed with a user's rule set
correlated to a temporarily assigned network address;

wherein the rule set contains at least one of a plurality of 
functions used to control passing between the user and 
a public network; 

wherein the redirection server is configured to allow
automated modification of at least a portion of the rule
set correlated to the temporarily assigned network
address; and wherein the redirection server is
configured to allow modification of at least a portion of the
rule set as a function of some combination of time, data
transmitted to or from the user, or location the user
access.

16. The system of claim 15, wherein the redirection server 
is configured to allow modification of at least a portion of the 
rule set as a function of time. 

17. The system of claim 15, wherein the redirection server
is configured to allow modification of at least a portion of the
rule set as a function of the data transmitted to or from the
user.

18. The system of claim 15, wherein the redirection server
is configured to allow modification of at least a portion of the 
rule set as a function of the location or locations the user 
access. 

19. The system of claim 15, wherein the redirection server 
is configured to allow the removal or reinstatement of at 
least a portion of the rule set as a function of time. 

20. The system of claim 15, wherein the redirection server 
is configured to allow the removal or reinstatement of at 
least a portion of the rule set as a function of the data 
transmitted to or from the user. 

21. The system of claim 15, wherein the redirection server 
is configured to allow the removal or reinstatement of at 
least a portion of the rule set as a function of the location or 
locations the user access. 

22. The system of claim 15, wherein the redirection server 
is configured to allow the removal or reinstatement of at 
least a portion of the rule set as a function of some 
combination of time, data transmitted to or from the user, or 
location or locations the user access. 

23. The system of claim 15, wherein the redirection server 
has a user side that is connected to a computer using the 
temporarily assigned network address and a network side 
connected to a computer network and wherein the computer 
using the temporarily assigned network address is connected 
to the computer network through the redirection server. 

24. The system of claim 23 wherein instructions to the 
redirection server to modify the rule set are received by one 
or more of the user side of the redirection server and the 
network side of the redirection server. 

25. In a system comprising a redirection server containing 
a user's rule set correlated to a temporarily assigned network 
address wherein the user's rule set contains at least one of a 
plurality of functions used to control data passing between 
the user and a public network; the method comprising the 
step of: 

modifying at least a portion of the user's rule set while the 
user's rule set remains correlated to the temporarily 
assigned network address in the redirection server; and 
wherein the redirection server has a user side that is 
connected to a computer using the temporarily assigned 
network address and a network address and a network 
side connected to a computer network and wherein the 
computer using the temporarily assigned network 
address is connected to the computer network through 
the redirection server and the method further includes 
the step of receiving instructions by the redirection 
server to modify at least a portion of the user's rule set 
through one or more of the user side of the redirection 
server and the network side of the redirection server. 

26. The method of claim 25, further including the step of 
modifying at least a portion of the user's rule set as a 
function of one or more of: time, data transmitted to or from 
the user, and location or locations the user access. 

27. The method of claim 25, further including the step of 
removing or reinstating at least a portion of the user's rule 
set as a function of one or more of: time, the data transmitted 
to or from the user and the location or locations the user 
access. 